Bug 123369 - devel/git crashes with use-after-free in git-fetch
Summary: devel/git crashes with use-after-free in git-fetch
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Eric Anholt
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-05-03 17:00 UTC by Coleman Kane
Modified: 2008-06-16 18:40 UTC (History)
0 users

See Also:


Attachments
patch-builtin-fetch.c (780 bytes, text/x-patch)
2008-05-08 12:46 UTC, Coleman Kane
Description Coleman Kane freebsd_committer freebsd_triage 2008-05-03 17:00:07 UTC
	When using git-fetch (or via git-pull), the program git-fetch crashes
with a Bus Error. I tracked it down to the following GDB trace:

(gdb) bt
#0  0x0000000800e65103 in malloc_usable_size () from /lib/libc.so.7
#1  0x0000000800e65727 in free () from /lib/libc.so.7
#2  0x00000000004adff3 in transport_unlock_pack (transport=0x70f080)
    at transport.c:811
#3  0x00000000004241ac in unlock_pack () at builtin-fetch.c:56
#4  0x0000000800eb65a9 in __cxa_finalize () from /lib/libc.so.7
#5  0x0000000800e69567 in exit () from /lib/libc.so.7
#6  0x0000000000404bf4 in handle_internal_command (argc=2,
argv=0x7fffffffe5b8)
    at git.c:379
#7  0x0000000000404cb9 in main (argc=2, argv=0x7fffffffe5b8) at git.c:414

It seems that transport_unlock_pack is trying to re-free the argument being
passed to free().

Fix: 

The fix has already hit the git tree (but was not in 1.5.5.1):
http://repo.or.cz/w/git.git?a=commit;h=7b7f39eae6ab0bbcc68d3c42a5b23595880e528f
How-To-Repeat:
   1) Install the latest devel/git.
   2) Try using git-fetch or git-pull to update a git.
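The crash shape in the trace above (an exit handler reaching free() through a pointer held in a static variable), modelled as an added C example; it is not git's code and not the attached patch. `struct transport` is a simplified stand-in, and `active`, `transport_open`, `transport_close`, `transport_unlock` and `unlock_at_exit` are hypothetical names. It shows the defensive form, where the owner clears both the freed member and the static pointer before any exit handler can run.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in: a transport owning a heap-allocated lockfile path. */
struct transport { char *pack_lockfile; };

static struct transport *active;  /* read by the exit handler */

/* Free the lock path at most once; returns 1 if a block was released. */
static int transport_unlock(struct transport *t)
{
    if (!t->pack_lockfile)
        return 0;
    free(t->pack_lockfile);
    t->pack_lockfile = NULL;  /* a repeat call cannot free it again */
    return 1;
}

/* Exit-time cleanup; the NULL check keeps it off an already freed transport. */
static int unlock_at_exit(void)
{
    return active ? transport_unlock(active) : 0;
}
static void exit_hook(void) { (void)unlock_at_exit(); }

static struct transport *transport_open(const char *lock)
{
    struct transport *t = calloc(1, sizeof(*t));
    if (!t || !(t->pack_lockfile = malloc(strlen(lock) + 1)))
        abort();
    strcpy(t->pack_lockfile, lock);
    return active = t;
}

static void transport_close(struct transport *t)
{
    if (active == t)
        active = NULL;        /* drop the soon-to-be-stale pointer first */
    transport_unlock(t);
    free(t);
}

int main(void)
{
    atexit(exit_hook);        /* handler runs from exit(), as in the trace */
    transport_close(transport_open("pack-constructed.keep")); /* constructed name */
    return unlock_at_exit();  /* 0: nothing left for the handler to free */
}
```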
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-05-03 17:00:12 UTC
Responsible Changed
From-To: freebsd-ports-bugs->anholt

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Coleman Kane freebsd_committer freebsd_triage 2008-05-08 12:46:56 UTC
Ouch. It looks like MIME ate my patch.

Here's another try...

-- 
Coleman Kane
Comment 3 dfilter service freebsd_committer freebsd_triage 2008-06-16 18:33:02 UTC
wxs         2008-06-16 17:32:57 UTC

  FreeBSD ports repository

  Modified files:
    devel/git            Makefile distinfo pkg-plist 
    devel/git/files      patch-Makefile 
  Log:
  Update to 1.5.5.4 [1].
  Fix crash in git-fetch [2].
  Don't remove directories listed in BSD.local.dist [3].
  Fix "git help foo" bug [4][5].
  
  PR:             ports/124559 [1], ports/123369 [2], ports/121869 [3],
                  ports/123318 [4], ports/124301 [5]
  Submitted by:   rea-fbsd@codelabs.ru [1], cokane [2], rafan [3],
                  potatosaladx@gmail.com [4], keramida [5]
  
  Revision  Changes    Path
  1.29      +1 -1      ports/devel/git/Makefile
  1.18      +6 -6      ports/devel/git/distinfo
  1.8       +15 -5     ports/devel/git/files/patch-Makefile
  1.16      +0 -2      ports/devel/git/pkg-plist
Comment 4 Wesley Shields freebsd_committer freebsd_triage 2008-06-16 18:34:57 UTC
State Changed
From-To: open->closed

This should be fixed in the latest version.  If it is not please let me 
know.